Background and PDPC’s decision
- The Personal Data Protection Commission (PDPC) earlier this month imposed a S$25,000 financial penalty on Singtel arising out of a complaint that there was a vulnerability in the design of the application programming interface of Singtel’s “My Singtel” mobile application.
- This vulnerability put the account information of some 330,000 of Singtel’s customers at risk and indeed, 4 such customers had their account information (name, billing address, account number, mobile phone number and service plan) accessed.
- Whilst Singtel did carry out regular penetration tests on their app and backend systems, it did not conduct a full code review. The review would have uncovered the vulnerability, something that could not be achieved by a penetration test.
- The PDPC found that Singtel was not diligent in ensuring the security of its App and had thus breached its protection obligations under the Personal Data Protection Act (PDPA).
Organisations should conduct a complete and thorough review of their computer systems (including websites and mobile applications) and security arrangements on a regular basis to ensure that there are no vulnerabilities that could lead to an unauthorised disclosure of personal data.
Additionally, it appears that all organisations are expected to be aware of the common and well-known security risks and issues associated with computer systems. Organisations should then review, or have reviewed, the source code of the systems in use and, if any of these common and well-known security risks are present, have them addressed.
The absence of any specific guidelines regarding the programming of mobile apps is not a mitigating factor. In this case, the PDPC considered that building a mobile app was not very different from building a website. As such, Singtel should have taken on board the points raised in the PDPC’s “Guide to Building Websites for SMEs”.
Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com.